It is important that we properly secure your data. We are careful with it, and we comply with laws such as the General Data Protection Regulation (GDPR).
The GGDs are responsible for your personal data If you take a coronavirus test. GGD GHOR Nederland manages the CoronIT IT system for the GGDs. We use this system to use and store your personal data. We follow all laws as we do this. This means that we handle your personal data properly and safely. We must also tell you what data we have about you, what we do with it, and who works with it.
We share your data with the following organizations:
• The GGD: Local GGD departments and GGD doctors (called the GGD in this document)
• GGD GHOR Nederland
• The laboratory that works with your coronavirus test
• The IT provider (Topicus) of CoronIT and its sub-processors
• Teleperformance call centre
Did you make an appointment for a coronavirus test through the call centre, the coronatest website or a doctor? Then your personal data will be transferred to CoronIT. CoronIT is the administration system for the test process and communication. It lets the GGDs see whose test result it is. Normally, the GGD GHOR cannot see this unless there is a problem that our Service Desk needs to solve. Then they will be allowed to see this data.
We use your personal data to be able to run a coronavirus test. We also use it to tell the GGD and you about the test result. Would you like to know which personal data we ask for? And what else we use it for? Please take a look at the section below called What else do we use your personal data for?
Here is a brief description of what happens to your personal data.
See below for more information about all of the steps.
STEP 1: You sign up for a test
There are various ways to make an appointment:
You can make an appointment in 3 ways:
1. Signing up through the coronatest website
You can go to the coronatest website and tell us which symptoms you have. If you have symptoms that are related to the coronavirus, we will ask you a number of questions. For example: have you been in contact with people who were infected with the coronavirus?
You can then log in with your DigiD and choose a date, time and test location. We will also ask you for your phone number and email address. That way, we can send you confirmation and contact you if needed. You will receive confirmation of your test appointment by e-mail and SMS
2. Signing up through the call centre
You can call the call centre to make an appointment. The employee at the call centre will register your personal data. Then they will make an appointment for your coronavirus test. You will receive confirmation of your test appointment by e-mail and SMS.
3. Signing up through a company doctor
A doctor may check to see whether you need a coronavirus test. If you do, they will register your personal data. They will then schedule an appointment for your coronavirus test. You will receive confirmation of your test appointment by e-mail and SMS.
STEP 2: You take the test
The GGD does the coronavirus test. First, they look up your personal data in their administration system. Then they make sure that this data is linked to the test tube with your test and the barcode on it.
A GGD employee will do the test for you. They will put a cotton swab with cells from your nose and throat into the test tube.
STEP 3: Your test goes to the laboratory
The test tube is placed in safe packaging. A courier then takes the test tube to a laboratory.
STEP 4: They analyze your test
The laboratory will then analyze the coronavirus test. The result of this test might be:
The laboratory will enter the result in the administration system.
STEP 5: You get the result
The laboratory will tell the administration system which result belongs to which barcode. This links the barcode back to your personal data. Then you will find out the result. This can be done in the following ways:
The GGD will contact you if the result is positive and you have the coronavirus. The GGD will also talk about the next steps with you.
It is important that we know how many infections there are in the Netherlands and how many tests have been done. We use your data to find this out, but in a general, anonymous way. This means that we don’t see any of your personal data in the information. Your data might also be used for scientific research. This is also done anonymously, and it follows the rules that apply to scientific research.
We will ask you for your permission if we want to record your telephone conversation with a call centre employee. We will only record the conversation if you give us this permission. We use these recordings to help improve our work. We also use something called ‘automatic speech analysis’ to do this. Here’s how it works. The computer ‘listens’ to the recording of your telephone conversation and looks for specific words. This helps us check for things like employee fraud, or employees who give medical advice when they shouldn’t. It also helps us understand why somebody was not able to make an appointment.
We do not use your personal data for anything else. Just the things we have explained above.
We need your personal data to run the coronavirus test properly. And to let you know the result.
These are the types of personal data we need from you:
You log in to the coronatest website with your DigiD. This will help you safely make your appointment. It will also let us know who is making the appointment. We will not be able to see your DigiD username or password.
Do you work in education or healthcare and can you make an appointment through the priority line? If so, we would like to ask for some extra information to verify this. This may include an AGB code or a BRIN number. If you don’t have the verification information we need, you will need to use 0800-1202 or make an appointment online.
The General Data Protection Regulation (GDPR) states that we can only use your personal data if we have certain reasons. These are called ‘valid’ reasons. The GDPR states that these valid reasons are: consent, agreement, legal obligation, vital interest, public task / public interest or legitimate interest.
We use your data to fight an infectious disease epidemic. This is a public task or a public interest task. The GGD is also required by law to record, check and follow up on data for these types of diseases. We have to report our test results to the National Health Institute (RIVM). This is stated in the Wet publieke gezondheid (translated here as Public Health Act).
The laws that apply here are:
We will only record the conversation with the call centre employee if you give us permission. We will ask you this before the conversation starts. The law that applies is GDPR Article 6, paragraph 1a and Article 9, paragraph 2a.
We keep your personal data for a maximum of five years. This is allowed by the Wet publieke gezondheid (translated here as Public Health Act). After this time, we destroy the data or make it anonymous.
During the corona test, an employee will use a cotton swab to remove cells from your nose and throat. This cotton swab is sent to a laboratory to be tested. How long the laboratory keeps the cotton swab depends on the result of the test:
We do not collect your DNA.
We will ask for your permission if we want to keep your personal data longer. The only time we wouldn’t ask you this is if we need to keep it longer because of another law.
We keep recordings of conversations with the call centre for 14 days. We use them to check the quality of our work and handle complaints. We delete the recordings after 14 days. Sometimes, there is a complaint or problem related to the recording. If this happens within the 14 days, then we keep the recording until we have dealt with the complaint or solved the problem. We make reports based on the speech analysis of the recordings and keep these reports for up to 14 months. They don’t contain any personal data.
We think it is important to keep your personal data safe. Therefore, we make agreements with the people and organizations that process the data for us. The agreements say what they can do with your data for us.
What else do we do?
These are your rights under the law:
You can contact the GGD that performed your test for all of these situations.
Do you have questions or complaints about the use of your personal data? Please contact the Data Protection Officer at the GGD that performed your test. Every GGD has a Privacy Statement. This states who the Officer is.
Appendix 1 lists the website addresses for all GGDs.
You can also report a complaint to GGD GHOR Nederland. You can do this by sending your complaint to the GGD GHOR Nederland’s Data Protection Officer. The email address is firstname.lastname@example.org.
What can you do if you don’t agree with the outcome or the way we handled your complaint? Then you can send a complaint to the Dutch Data Protection Authority. You can do this at this website: https://autoriteitpersoonsgegevens.nl/nl/vvoor-u-een-klacht-indient
We will adjust this privacy statement as necessary. For example, if we have to change who processes personal data, or which personal data we use.
We last updated this statement on December 23, 2020.
Would you like to know which GGD belongs to your municipality? You can see this at www.ggd.nl.